Support iam policy member of domain type in iam scanner's required mode, #1093
Conversation
Codecov Report
@@ Coverage Diff @@
## dev #1093 +/- ##
=========================================
+ Coverage 83.29% 83.3% +0.01%
=========================================
Files 163 163
Lines 7829 7837 +8
=========================================
+ Hits 6521 6529 +8
Misses 1308 1308
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for fixing this! Mostly style comment to improve readability by other people and in the future.
In addition, this fix will need to be ported to 2.0.
Finally, should we support this in whitelist mode and blacklist mode?
rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() | ||
find_ancestor_mock = mock.MagicMock( | ||
side_effect=[[self.org789]]) | ||
rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Backslashes should not be used for line continuation. So, do it like this:
rules_engine.rule_book.org_res_rel_dao.find_ancestors = (
find_ancestor_mock)
actual_violations = set(rules_engine.find_policy_violations( | ||
self.project1, policy)) | ||
|
||
# expected |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should drop this comment as the variable's name is already self-documenting.
self.assertEqual(expected_violations, actual_violations) | ||
|
||
def test_policy_all_projects_must_have_owners_from_wildcard_domain(self): | ||
"""Test a policy where the owner belongs to the required domain and the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a very good method doc, but the summary needs to be 1 line. So, let's break this up to something like this:
"""Test a policy where the owner belongs to wildcard domain.
Test a policy where the owner belongs to the required domain and the
domain is specified as a wildcard user ('members': ['user:*@xyz.edu'])
"""
rules_engine.rule_book.org_res_rel_dao = mock.MagicMock() | ||
find_ancestor_mock = mock.MagicMock( | ||
side_effect=[[self.org789]]) | ||
rules_engine.rule_book.org_res_rel_dao.find_ancestors = \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto on backslash continution
policy = { | ||
'bindings': [{ | ||
'role': 'roles/owner', | ||
'members': ['user:def@xyz.edu'] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you please add a second test case for a non-xyz domain? user:def@abc.edu
So, that we know for sure if there is a violation, it will be triggered?
@@ -288,6 +288,28 @@ def create_from(cls, member): | |||
member_name = identity_parts[1] | |||
return cls(identity_parts[0], member_name=member_name) | |||
|
|||
def _user_is_in_domain(self, other): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This naming should follow boolean naming convention, and might better as: is_matching_domain()
@@ -288,6 +288,28 @@ def create_from(cls, member): | |||
member_name = identity_parts[1] | |||
return cls(identity_parts[0], member_name=member_name) | |||
|
|||
def _user_is_in_domain(self, other): | |||
"""Determine whether user belongs to domain. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Technically, not a user
. But more clear as IAM policy member
. So:
"""Determine whether IAM policy member belongs to domain.
specification and the policy to check specifies users. | ||
|
||
Args: | ||
other (IamPolicyMember): The policy binding to check. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please clarify this, by adding member
like:
other (IamPolicyMember): The policy binding member to check.
@@ -1405,6 +1403,87 @@ def test_project_required(self): | |||
]) | |||
self.assertItemsEqual(expected_violations, actual_violations) | |||
|
|||
def test_policy_all_projects_must_have_owners_from_domain(self): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please clarify this method name, to show that it's using the domain member type. So, a good name would be:
test_policy_all_projects_must_have_owners_from_domain_type
|
||
self.assertEqual(expected_violations, actual_violations) | ||
|
||
def test_policy_all_projects_must_have_owners_from_wildcard_domain(self): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please clarify this method name, to show that it's using the wildcard domain from user type. So, a good name would be:
test_policy_all_projects_must_have_owners_from_wildcard_domain_of_user_type
@blueandgold -- addressed your review comments, please take a look. Thanks! |
@blueandgold not sure about whitelist / blacklist mode .. maybe we can open a separate issue for that? |
@blueandgold once this PR lands, I will port the changes to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome, this so much more understandable now!
* ported code to 2.0-dev based branch * fix tests
Hello there!
This fixes issue #799. Please take a look and let me know what you think. Thanks!